Analysis
-
max time kernel
204s -
max time network
204s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
23-11-2022 19:06
General
-
Target
6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe
-
Size
380KB
-
MD5
9b7a9bb4e16da87e6fc8bfcfd517e18d
-
SHA1
4c0c14a5e7f193b00efd361669261e54126a1a93
-
SHA256
6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33
-
SHA512
1d6426fae9a4d38618eca5bd13f0454991364d2713a4db2a78cbf4f3104926996280a1fec53ffeae89581d98f6075d2222898ac70cbbd182059dda7fe16c66e9
-
SSDEEP
6144:O/N8G7t9c98SlByngsN7oXxXr1ux8DMEhHw81BMq8PF3yYBEgaSf+iHXt1L:O/N8p98SKngqDwq81Bf8PAKFH+i3X
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe"C:\Users\Admin\AppData\Local\Temp\6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 7242⤵
- Program crash
-
C:\ProgramData\hC40501FiLaO40501\hC40501FiLaO40501.exe"C:\ProgramData\hC40501FiLaO40501\hC40501FiLaO40501.exe" "C:\Users\Admin\AppData\Local\Temp\6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 7243⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3184 -ip 31841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4536 -ip 45361⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\hC40501FiLaO40501\hC40501FiLaO40501.exeFilesize
380KB
MD5ff362cfaa2d486a703a6c1766072b2e2
SHA12de85141cbb7fb1848c3df83c8d5996eb6b341ec
SHA2566111e0a5c233e20d06ac39c2bf00833ce81fc91d53310fa6806be32f3b82ffe8
SHA5120fe9b6c972bd3dc417f904fc45dbff55c5eb83dad3d0ab63a54b94ed901a0d620682b5ef5b80600721294ec5b33eb6c42cd83abd772bb8194fb047fc37a55778
-
C:\ProgramData\hC40501FiLaO40501\hC40501FiLaO40501.exeFilesize
380KB
MD5ff362cfaa2d486a703a6c1766072b2e2
SHA12de85141cbb7fb1848c3df83c8d5996eb6b341ec
SHA2566111e0a5c233e20d06ac39c2bf00833ce81fc91d53310fa6806be32f3b82ffe8
SHA5120fe9b6c972bd3dc417f904fc45dbff55c5eb83dad3d0ab63a54b94ed901a0d620682b5ef5b80600721294ec5b33eb6c42cd83abd772bb8194fb047fc37a55778
-
memory/3184-132-0x0000000000400000-0x00000000004C1000-memory.dmpFilesize
772KB
-
memory/3184-136-0x0000000000400000-0x00000000004C1000-memory.dmpFilesize
772KB
-
memory/4536-133-0x0000000000000000-mapping.dmp
-
memory/4536-137-0x0000000000400000-0x00000000004C1000-memory.dmpFilesize
772KB